Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast, where the world talks security.
Kacy Zurkus:
Hello and welcome to this edition of our RSAC 365 podcast series. Today, we'll be talking with two guests from MITRE, who are excited to share some advanced insight into what readers can look forward to in their refreshed and updated edition of 11 Strategies for Operating a World Class Cybersecurity Operations Center, the CSOC. I'm joined today by Kathryn Knerler and Ingrid Parker, who co-authored the book with Carson Zimmerman. Before I turn it over to Kathryn and Ingrid to introduce themselves, I do want to remind our listeners that here at RSAC we host podcasts twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app, so you can be notified when new tracks are posted. And now I'd like to ask my guests to take a moment to introduce themselves. Ingrid, let's start with you.
Ingrid Parker:
Great. Thanks Kacy, really appreciate the opportunity to talk with you today. So my current role is as a division chief engineer within the MITRE corporation. And in this role, I get to work with our sponsor across a number of different cybersecurity areas. So that means one day I might be working with a hunt and cyber threat intel team, helping them to better integrate their functions, and the next day I might be engaging with SSO to assist them as they mature their overall cybersecurity programs. Prior to MITRE, I worked for Northrop Grumman, and there I was doing hands-on incident response, before I moved into forensics and malware analysis. And even before that, I was a system administrator for the Army. So I hate to say it, I've done full-stack cyber from the zeroes and ones all the way up to working with senior decision makers. And that really is the sweet spot for me. I truly enjoy bringing together the tactical and strategic perspectives and working with organizations to think about how they unite their defensive approaches across their entire cybersecurity program.
Kathryn Knerler:
Hi Kacy, I'm glad to be here. So I've been in the cybersecurity field for decades, certainly long before it was cool. And I've worked on everything from detection design and architecture to incident response and directing a security operations center. And I got my start early. I knew I wanted to work in computers because as a kid, I was motivated by creating computer games, and I taught myself to code. So in high school I worked for the Navy in a co-op program from my high school, and I designed a voice-activated workstation prototype. And the idea there was to create something that was accessible for those who didn't know how to type. So we wanted computers to be accessible for everyone.
Kathryn Knerler:
But labor is about what you've done lately, right? So currently I'm the department manager for our Cyber New Professionals program. It's a program that I designed with my colleagues for those who are new to the cyber field and have a demonstrated interest in it. So we give a little more attention, a few more work opportunities and more resourcing to our selected members. And that is hopefully to boost their career and start them off right in cybersecurity. So I think it's safe to say, at this point, I'm really passionate about ensuring that experts are passing on their knowledge to those that are coming behind us, so they can build on it rather than starting from scratch with each generation. And that's especially true in cybersecurity operations.
Kacy Zurkus:
Thank you Kathryn, and thank you Ingrid as well. I'm glad to have both of you with me here today, as experts who are willing to share your knowledge. So I appreciate you joining us. Kathryn, I want to start with you and ask if you can maybe share with our listeners why you wrote this book. When is it coming out? What was your experience of updating the book? And what makes this book stand apart from others?
Kathryn Knerler:
We appreciate the opportunity. This is actually a second edition of the book, and the first edition was written by Carson Zimmerman. The new book is due out this upcoming winter. We've received a lot of attention and a lot of interest in the first edition, and a lot of requests for a second edition of it.
Kathryn Knerler:
So the first one was dated circa 2014. So we're hoping that by updating the cloud and other things, the new one will bring us up to the present. It probably helps that it was free. We have a free PDF version, and we wanted to keep the book accessible to anybody out there who wants it. So the book gets people started in security operations, and it provides a few pointers across a broad range of topics specific to a CSOC, of course, security operations. So in the second edition, we vamped it up to 11 strategies. The first one was 10, so you get a bonus strategy this round. So we've included this time how to balance your CSOC incident response mission with supporting functions, such as threat intelligence and threat hunting. We talk about the importance of growing staff in-house, and we talk about why the CSOC has to constantly evolve and keep moving forward.
Kacy Zurkus:
I love it. And I love that you bumped it up and everyone gets a bonus strategy in this new edition. But Ingrid, I would love to ask, there had to be more than just one more strategy that you wanted to add, right? So, how did you all arrive at that 11th strategy and the 11 strategies all together that you'll talk about today? Was there a consensus among you? Was there a process for negotiating which would be the strategy that's added?
Ingrid Parker:
Yeah. So Kacy, there was absolutely no agreement on where to go with the book from the beginning, and absolutely a lot of negotiating as we went through. And it wasn't because there was disagreement, it's just because there's so much content in this space, so many things we could have talked about, so many ideas that we had. So what we did is, we actually started by figuring out a few core elements that we knew we wanted to include. Things like, how has your sensing and monitoring program changed, what does cloud mean, what does zero trust mean, those types of areas, thinking about new technologies, all kinds of different pieces.
Ingrid Parker:
And we took that and actually socialized it within our company leadership to get that buy-in, just to get us to be able to get started and start thinking about what's out there. And then we got into the weeds fast. You can envision us in a big room, multiple whiteboards, lots of sticky notes being moved around, resources, input from other people in our company, because we have many experts in our company that know areas, maybe in more depth than our core writing team did. We wanted to make sure we were bringing all those different perspectives in.
Ingrid Parker:
And I think what I found most interesting was how our thoughts about the book changed over time. Our original plan was to just do a light update of the book. But as the discussions evolved, we really realized how much had truly changed since the first edition of the book came out in 2014. And that really was about a mindset change, both in the way the SOC fits into the business and how the SOC executes its own mission. At this point there's so much more awareness of the role of the SOC, there's such a better understanding by non-IT leadership about the importance of security operations. And this means the SOC needs to really be better positioned to explain its role and ensure its value. And so we added a lot of content talking about how you form a SOC, how you communicate the SOC's value.
Ingrid Parker:
Then we also really thought about that evolution in technology and analysis approaches; that includes where and how to sense within your environment, how to think about the adversary. And as we were working through those changes, they were actually a lot more significant than we thought they would be. Seven years is a long time in this industry. And the amount of change that we wanted to make took us by surprise.
Ingrid Parker:
So when you think about those 11 strategies, it's not that we added one strategy. It really was that we took all of this content, laid it out, and realized that we needed to go with kind of a new framework. We do pull in some of the old content, but there was a lot that we added into it. And actually, we were really excited when we realized it fit into 11 chapters. That seemed like the perfect way to build on the original title. We do have a few appendices, so a little more content than 11, but we didn't think that was cheating. So we're really happy with the fact that we were able to put in so many new ideas and bring a lot of updated thinking to where the book has gone.
Kacy Zurkus:
That's fantastic, and I love... I mean, you're right, it probably could have been 20 strategies, right? But you have to make it digestible and meaningful, so that people can really take from it and use the guidance that you're offering. And Kathryn, I know that part of the goal of this book is indeed just that, to offer guidance on how to balance the CSOC's core incident response mission with other supporting functions. So can you explain a little bit about why incident response is really the acid test of your other cybersecurity practices?
Kathryn Knerler:
Yeah, definitely. Right. So incident response is the pointy end, or the stabby end, of the areas in cybersecurity, especially within security operations and actually across the whole enterprise. Incidents create an opportunity, an opportunity for on-the-job testing of your defenses, your detections and your design. And my observation is, it's really all about incident response. If you're not very good at that, you're probably not very good at the other aspects of security operations or of defense. And of course it's my opinion; it can be controversial at times. So, how do you know whether your cyber defenses are working and that you're detecting malicious activity? Well, it's through your incidents and your incident response. If an intruder is in your network and an outside organization tells you about it, your defenses have failed you, and they failed you both in detection and in protection.
Kathryn Knerler:
So good responders are good at reverse engineering how they got in, how the bad guys got in and why it went undetected. And once you figure that out, you can then adjust the defenses. So as a concrete example, if an intruder exploits a zero day or previously unpublicized vulnerability, the security operations team would determine, hopefully accurately, what happened. And then ideally they would share that information with the vulnerability management team, to ensure that the discovered vulnerability is either patched immediately or somehow the exposure to it is reduced. But if a responder doesn't know how something happened, they really can't share it with any other teams. And then the enterprise focuses on patching everything rather than prioritizing based on actual activity. So incidents are a savvy way to learn; they're not ideal, but they shouldn't be undervalued for their learning potential for the rest of the enterprise team. And often we don't share enough about what happened in incidents. So the motivation is to learn from them and adjust your defenses and prevent them. Or at least tune your detection sensors, so you can find them earlier, and all the unwanted activities in your enterprise.
Kacy Zurkus:
I really appreciate that perspective. I've not heard that before, in terms of the usefulness of incident response as a learning tool. I really appreciate that, and I'm sure that it's expanded upon in the book, which readers will benefit from. Ingrid, I want to switch gears and talk a little bit about staffing. Because really, implementing these strategies effectively largely depends on the skill set of your team, doesn't it? So, can you share your perspective on the importance of hiring staff who have a growth mindset while also developing staff internally?
Ingrid Parker:
Absolutely. I think all of us, myself, Kathryn, Carson, we all are very wary of the shortage of cybersecurity talent. And all of us are passionate about growing the teams we work with, whether that's somebody who's completely new to the field or somebody who's been doing this for a number of years but is ready for a new challenge. And so in the book, we really wanted to highlight the importance of mindset and growth across the full life cycle of somebody working in security operations.
Ingrid Parker:
So, that typically will start with hiring. And here we wanted to emphasize that you shouldn't just look for the candidate that can meet every one of your needs today; you really need to consider the candidate that can grow to become the person you need tomorrow. There just aren't enough people with the qualifications to make it possible to hire exactly what you have to have at this moment; you have to do that internal growth. And so when you are trying to hire, you want to find those people who show an aptitude for learning new concepts quickly. And certainly in the book, we talk about some of those best practices, like using behavioral interviewing questions, such as "Tell me about a time when..." That way you can get a real feel for people's ability to do problem solving in action.
Ingrid Parker:
And then once you have somebody on the team, it's time to start thinking about how they learn and grow. And when we talk about growth, it's not just the growth you might expect to come from something like mentoring or training; these are of course really important. It's also about the growth of the SOC's capacity as a whole. So one area we touch on, that may not be at the front of everyone's mind, is the link between improving your SOC capabilities and your SOC personnel's satisfaction.
Ingrid Parker:
So if you think about it, your SOC team members that are working with outdated tools or processing everything manually can become frustrated really easily. And it's not to say that you have to have the newest of every technology. But if you can look for ways to improve processes so analysts can move on to the next challenge rather than feeling stuck, that's going to be a much more engaging workplace for them than if they're doing the same thing over and over every day. And if you've hired and grown those problem solvers, they're going to want those new challenges; they're not going to want to do the inefficient thing. So really thinking about your SOC practices as a growth and retention strategy is really important.
Ingrid Parker:
And then finally, when you think about growth, you have to think about turnover. Turnover in a SOC is inevitable. Ideally, you want that turnover to be low, but it's still going to happen. However, if you plan for it, then you can also use it as a growth opportunity for your staff. So if you've done your cross training, if you've had staff share their work and knowledge routinely, if you've had staff document their responsibilities as they're doing them, you're going to be in a much stronger position for when you do get a resignation. And then you can turn to your workforce. And ideally you're going to have people that are ready to be promoted, you're going to have people that are ready to take a lateral move to a different team, because they've been picking up these new skills as they're going along. And so it's less of an impact for your SOC every time somebody leaves, because you're already growing and shaping that team to move in there.
Ingrid Parker:
I know this sounds like a lot of work, and it is. And sometimes you're going to invest a lot in someone who leaves. But we really believe that the community is still small in so many ways and that your SOC's reputation matters. And if you've got a reputation as a SOC that grows people rather than burns them out, you're going to have such an easier time hiring the next person, while also retaining a higher portion of your staff. So you've really got to have that growth mindset across your entire life cycle of bringing people in and working with them in your SOC.
Kathryn Knerler:
Yeah, Ingrid is right about that. Great people beget great people. Also in security, it's important to understand that it's inevitable that these great people that you've groomed and spent all this time on are going to leave, even if the SOC attracts a lot of talent. So build a pipeline into that model: plan to hire more people and to provide them with exciting opportunities and on-the-job training for growth. And CNP, the program I mentioned earlier, was designed as a pipeline with all of this in mind.
Kacy Zurkus:
And so, Kathryn, I wonder if you can talk a little bit about training and educating staff. What are some of the things that staff in the SOC need to be thinking about, in terms of how to anticipate adversaries?
Kathryn Knerler:
Right. The thing about anticipating adversaries is, there is no silver bullet, there's no autopilot. You can't just connect a bunch of cyber threat intelligence data feeds that are streaming alerts into your enterprise and expect that your incident responders are going to stop your adversaries in their tracks. Instead, you have to start to understand what an adversary might do through... It's really pure brain sweat equity. It's through analysis, it's through knowledgeable people, and sometimes it's with the aid of automation. But analysis needs to be very specific to each organization and to the intellectual property that goes along with it for this to be effective. Taking someone else's CTI isn't going to buy you your CTI and isn't going to buy you prevention and anticipation of adversaries. So the grand challenge or holy grail of security operations is to stop an adversary before they gain an unwanted foothold in your networks.
Kathryn Knerler:
Yet, if you're seeing them in the technology, it's usually too late. So you can't rely on the technology indicators alone. By definition, we find them after the fact and after they've gotten a foothold, if you're seeing them. So the key to getting in front of them is through spending some time thinking about the adversaries and combining data in meaningful ways, through critical and creative thinking. So it's a little like chess. If you want to be great at it, you have to study not only the moves of the great players, but you also have to know how to create new moves in context as they relate in the moment or in the enterprise. So in our book, we challenge security operations to examine three aspects of data to begin anticipating those adversaries.
Kathryn Knerler:
The first one is obvious, it's adversary information. So you want to look at TTPs, such as the ATT&CK framework that MITRE puts out: what are the tactics and techniques and procedures? But then you also want to sprinkle in some intelligence-like things, the what-if scenarios. What types of intellectual property have the adversaries gone after in the past? What are they interested in? How do they go for it?
Kathryn Knerler:
The second category of information is enterprise-relevant. Are they even interested in your intellectual property? Or who is interested? And how good are they? And know what's important to you and focus on that. There's an old adage that applies here: if everything is important to you, then nothing is. So you really have to know what's important in your enterprise, systems and data.
Kathryn Knerler:
And then finally, the third category is security operations' technical capabilities. So what is it that your operations can see? What are you monitoring? What are you looking at? But more importantly, where are your blind spots? What are you not monitoring? And what are you not looking at? That's often where you want to pay attention, especially if you're a cyber threat intelligence expert. So if you analyze the combination of these three things, you'll be increasingly better able to boost your defenses and detection, probably keep some of the adversaries out, and detect some of them earlier or at least slow them down.
Kathryn Knerler:
And of course, there's a necessity of applying traditional intelligence field techniques to security. And there's a great book out there, Structured Analytic Techniques for Intelligence Analysis, very long title, by Pherson and Heuer. The more time you spend learning these techniques, and the more time you spend applying them to studying adversary moves in the context of your enterprise, the better you get at it. Just like chess. And this idea is fairly new to SOCs. So CTI is an area that has changed significantly over time.
Ingrid Parker:
Kacy, I'd add to that, that the... I completely agree that the role of CTI has changed. A decade ago it was barely even considered; then it kind of became that additional duty as assigned. And while that may still be the case for some smaller organizations, smaller SOCs, where you don't have as many people, there really are more and more organizations that have elevated the role of a cyber threat intelligence analyst, and really are looking for people to specialize in this area and to bring in some of that traditional intelligence mindset as well as the technical experience, to try and bring those areas together to provide more value to the organization.
Kathryn Knerler:
Yeah. And the thing about cyber threat intelligence, it's kind of one of those things that's an afterthought at the moment. Like, we'll get good at these other things and then maybe we'll start looking at it. But if you get the right people, people who are really good at applying their thinking, they'll save you a lot of money. They can help you understand which of the cyber defense products are worthwhile for preventing the adversaries that are particular to your enterprise and which ones don't buy you anything at all. So it's a worthwhile investment. With all the money we're putting out there for cyber products, it's worthwhile to get a great cyber intel specialist or two on your staff.
Kacy Zurkus:
What I keep hearing is, this needs critical thinking, about the things that you should be thinking of and the things that you are maybe not thinking of. And I want to ask you, Ingrid, if you can help us understand how, or rather what, practitioners should be thinking about beyond the traditional enterprise IP boundaries for security operations? Things like cloud, mobile, operational technology.
Ingrid Parker:
This was an area that was top of our mind, right from the beginning. This was one of the key areas that we had on our list to take up to our senior leadership, as an area that we wanted to touch on. And it may seem like an old concept at this point, but many organizations are still struggling to figure out what they need to do from a security operations perspective. There's been more focus on how do we actually move to the cloud, and a little bit less on how do we then monitor and protect in that area. Certainly this is rapidly changing, but it continues to evolve. So as you add in things like zero trust, it becomes even more complex to think about your sensing and monitoring strategy. So we wanted to make sure that we included some key points to really help people get started in this area.
Ingrid Parker:
So an example of that is visibility. One of the main challenges is how do you know what's actually happening in your cloud environment. At this point, many organizations, hopefully, have moved from monitoring just at the network boundaries to monitoring their hosts, which means they could be monitoring those hosts in the cloud. But the fact is, now that your endpoints are not actually within your own environment, that isn't enough. And there really are a lot of new types of telemetry that are available in the cloud. And so the SOC needs to go in and understand what types of logs are available from the cloud provider. And you need to think about what types of events they can actually monitor.
Ingrid Parker:
So that might be something like the logs around your compute resources and understanding changes in your system and software configuration. Those might not have been as relevant when you were doing things in your own data center. And then they need to be able to build workflows specific to those types of alerts. And that may mean relooking at your SIEM, looking at your endpoint security agents, relooking at your forensics tools. All of those are going to work a little bit differently in the cloud environment. So you really need to understand and work with your vendors and the community to think about how to implement all of those technologies and bring them together.
Ingrid Parker:
And I'd also add, with cloud, the SOC should be really vocal about helping their constituents, their business, understand the type of information that they are or aren't going to get due to the service level agreements with their cloud providers. So the SOC should make sure that they know what they're responsible for and what they're going to do. And also who to contact when an incident occurs and when they need to work with that cloud provider to resolve it. This shift to that shared responsibility model is still a challenge for a lot of SOCs. It's still something that they... If you're used to having all of the information in house, it's a new way of thinking. Again, where you've got to evolve your thinking in order to be able to pull all of that together.
Ingrid Parker:
I think also, as we were putting the book together, we wanted to really go beyond the cloud and start thinking about operational technology, or OT. This isn't something that most organizations would want to start with. It's definitely a place where you want to make sure you've got a good handle on your routine SOC operations before you'd be thinking about going this route. But that convergence between operational technology and the traditional IT enterprise is probably going to get stronger and stronger.
Ingrid Parker:
And OT is most often associated with critical infrastructure. So, this is your pipelines and your dams and those big systems. But it can include more routine elements, things like your physical security monitoring cameras or the building management system for heating and cooling. All of those things can also be interconnected. And so an organization will need to start thinking about not only the damage that could be done if somebody was able to get in and change control settings on those types of technologies, but what happens when those systems are tied back to the main IT infrastructure and represent a point of weakness.
Ingrid Parker:
We acknowledge in the book that there are a lot of challenges with instrumenting and monitoring OT compared to IT. There are different protocols that are used, there are so many device vendors that have proprietary software, there are restrictions on how you can monitor due to either the processing power of a particular technology or the age of the equipment. And there just aren't as many security products available yet. So in the book, we suggest a couple of places to start. That includes looking at the connection points between your OT and your IT networks, or seeing if you've got OT systems that use versions of commodity operating systems like Windows or Linux rather than custom systems. So trying to find those entry points for you to begin to look at your OT environment, without having to go out and really dive as deeply, to start with, into all the custom protocols and custom systems.
Ingrid Parker:
And we also highlight that some of the skills you've learned from traditional IT monitoring really are still going to be directly applicable. For example, it's really important to look in and understand what normal looks like, so you can start looking for things that aren't. And that's something you would do within your own IT network. And it's something you can certainly do within an OT network as well, or the connections between your OT and your IT network. And there are a lot of analysis tools that could potentially help you with this.
Ingrid Parker:
But you still want to invest in getting your analysts smart on the understanding of, this is what to expect, this is how much traffic comes in, this is what a protocol looks like, this is how we should expect this environment to behave, so that they're going to be able to give that kind of heads-up warning when something is not as they're expecting. And so I reemphasize, this isn't the place where your SOC's going to start... Your organization gets better at the more traditional types of monitoring. We wanted to make sure we included in the book some of these ideas for things that you could have on your roadmap to really advance and mature your SOC into that next evolution.
Kacy Zurkus:
I love it. I'm just thrilled for both of you. You both make the book sound so incredibly interesting. I am so excited for it to come out, for readers to grab a hold of it and to get started with all of the guidance that you've offered here. I'm also so grateful to both of you for taking the time to join me today and to share your thoughts with our listeners. It's certainly an exciting time for both of you. So, thank you so much for carving out your time today. Before we wrap up, I'd just like to toss the baton to both of you, if either of you has any parting words for our listeners. Maybe Kathryn, we'll start with you.
Kathryn Knerler:
Yeah. I want to thank you for the time. I am really hopeful that this updated second edition of the book will strike a chord for security operations centers that are out there, whether you're getting started in security or you're a really advanced one and you want to kind of use it to see, to do a diff almost, between what you have and what might be in there. It might provide a means to examine your various functions, maybe to develop new capabilities and perhaps think about a function or two in a different way that advances you forward.
Ingrid Parker:
And I also really want to thank you for the opportunity to chat about this. Kathryn and Carson and I are very, very passionate about getting this out to the community. We certainly didn't get to cover all aspects of what's in the book, but one thing I want to bring up is that we do have a chapter on the importance of communicating broadly, collaborating often and sharing generously. And for us, this book is one of the ways that we're trying to live up to that strategy. And so my parting thought would be that I want to encourage everyone listening to think about what they can share back with the community. No matter where you are in your cyber career, you're going to have a perspective and a set of experiences to offer. And so just as we're hoping that our experiences will be of value to others, I really hope everyone else will consider what they can put out to the community as well, because this is such a community-driven environment for learning.
Kacy Zurkus:
Absolutely. And if we can all think of those ways that we can pay it forward, we can work toward a more secure world. I love it. Ingrid and Kathryn, thank you so much for being with us today. Listeners, thank you for tuning in. A reminder that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app, so you can be notified when new tracks are posted. Interested in being a guest on one of our podcasts? Visit rsaconference.com/noncontributory to learn more. Thank you all.